From: Sanyam Kumat <124618873+sanyamk23@users.noreply.github.com>
Date: Sat, 6 Jun 2026 21:38:15 +0000 (+0530)
Subject: gh-148954: Escape methodname in xmlrpc.client.dumps() to prevent XML injection (GH...
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=ab930175e7e909aaa3ec7e761bfdbb886677bebb;p=thirdparty%2FPython%2Fcpython.git
gh-148954: Escape methodname in xmlrpc.client.dumps() to prevent XML injection (GH-148968)
---
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
index 2803c6d45c27..ee0e24f6e86a 100644
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -208,6 +208,17 @@ class XMLRPCTestCase(unittest.TestCase):
self.assertEqual(xmlrpclib.loads(strg)[0][0], value)
self.assertEqual(xmlrpclib.loads(strg)[1], methodname)
+ def test_dump_escape_methodname(self):
+ payload = 'foobar'
+ s = xmlrpclib.dumps((), methodname=payload)
+ self.assertIn(
+ 'foo</methodName><injected attr="evil"/>'
+ '<methodName>bar', s
+ )
+ self.assertNotIn('', s)
+ load, m = xmlrpclib.loads(s)
+ self.assertEqual(m, payload)
+
def test_dump_bytes(self):
sample = b"my dog has fleas"
self.assertEqual(sample, xmlrpclib.Binary(sample))
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py
index f441376d09c4..84e4e4d11a73 100644
--- a/Lib/xmlrpc/client.py
+++ b/Lib/xmlrpc/client.py
@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,
data = (
xmlheader,
"\n"
- "", methodname, "\n",
+ "", escape(methodname), "\n",
data,
"\n"
)
diff --git a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
new file mode 100644
index 000000000000..6245af7e362e
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
@@ -0,0 +1 @@
+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body.